DInvoke
FileNotFoundException in RewriteModuleIAT
I think this is meant to work?
```csharp
using DInvoke.DynamicInvoke;
using DInvoke.ManualMap;
using Data = DInvoke.Data;
using System;

namespace DInvokeTest
{
    class Program
    {
        static void Main(string[] args)
        {
            var pid = int.Parse(args[0]);

            // Map kernel32.dll from disk via module overloading.
            // The FileNotFoundException in the trace below is thrown inside this call.
            var map = Overload.OverloadModule(@"C:\Windows\System32\kernel32.dll");

            var paramaters = new object[]
            {
                Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_ALL_ACCESS,
                false,
                pid
            };

            // Call OpenProcess through the export of the manually mapped copy.
            var hProcess = (IntPtr)Generic.CallMappedDLLModuleExport(map.PEINFO, map.ModuleBase, "OpenProcess",
                typeof(Win32.Delegates.OpenProcess), paramaters);

            Console.WriteLine("Handle => 0x" + string.Format("{0:X}", hProcess.ToInt64()));
        }
    }
}
```
```
Unhandled Exception: System.IO.FileNotFoundException: api-ms-win-core-processthreads-l1-1-0.dll, unable to find the specified file.
   at DInvoke.ManualMap.Map.RewriteModuleIAT(PE_META_DATA PEINFO, IntPtr ModuleMemoryBase)
   at DInvoke.ManualMap.Map.MapModuleToMemory(IntPtr pModule, IntPtr pImage, PE_META_DATA PEINFO)
   at DInvoke.ManualMap.Overload.OverloadModule(Byte[] Payload, String DecoyModulePath, Boolean LegitSigned)
   at DInvokeTest.Program.Main(String[] args)
```
Probably a duplicate of https://github.com/cobbr/SharpSploit/issues/58
I think you're right. It works on my machine, but if it is actually a flaw with API Set resolution, then that could happen if you and I have different versions of Windows / APIs.
Thanks for finally finding a test case for this bug! I've marked this as a bug to fix for the next minor version.
Let me know if there's any more information from my end that would be useful.
I think I know what the issue is. If I can't reproduce the error (or simulate it) on my end, I'll ping you later to see if you can test a fix.
Fixed in https://github.com/TheWover/DInvoke/commit/af9f86984a2ce329cb44a97459592f0b191fe252 Will be merged with v1.1.